Domain consolidation, other IAM projects moving forward
UIT’s Identity and Access Management (IAM) team, which, among other things, governs and enforces user access to technology at the U, continues to expand the footprint of the central Active Directory (AD) system. AD is Microsoft’s directory service: it authenticates users and computers, stores their account data, and applies security policy and resource permissions across the network.
One current key priority is consolidating UMail services into the ad.utah.edu domain to deliver a seamless logon experience for email, Skype for Business, and the future Office 365 offering.
One of the IAM team’s major focuses is consolidating “child” domains into the central AD.
Last year, Microsoft met with IAM members, pre-identified IT administrators, and UIT’s Information Security Office (ISO), UMail group, and network team. Microsoft found that 20 “trusted” partner domains existed beyond the central AD system, meaning each of those departments managed and maintained its own AD and relied on a trust relationship with the central domain, while an additional six were “child” domains within the central forest. Microsoft collected all the data and issued a best-practices-based analysis indicating that the University is running too many parallel directories and, in most cases, would be better served by consolidating.
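The assessment above counted trusted partner domains and child domains by hand. An administrator can produce the same inventory from any domain-joined Windows host with the ActiveDirectory PowerShell module. The following is an added example, not a script from the article or from the UIT IAM team; it assumes the reader is running it as a user who can read the forest and trust objects, and it additionally reports whether SID filtering is enabled on each trust, a check the article does not mention but that a security reviewer of trust sprawl would want, since a trusted domain without SID filtering can inject privileged SIDs into the trusting domain.

```powershell
# Added example: inventory child domains and external/forest trusts.
# Assumes the ActiveDirectory RSAT module is installed and the caller can read
# the forest and trust objects (ordinary domain users normally can).
Import-Module ActiveDirectory

$forest = Get-ADForest

# Child domains are every domain in the forest other than the forest root.
$childDomains = @($forest.Domains | Where-Object { $_ -ne $forest.RootDomain })

# Trusts are separate directories administered by someone else; each one is a
# place where the central team does not control accounts or policy.
$trusts = @(Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  IntraForest, SIDFilteringQuarantined, SelectiveAuthentication)

[pscustomobject]@{
    RootDomain   = $forest.RootDomain
    ChildDomains = $childDomains.Count
    Trusts       = ($trusts | Where-Object { -not $_.IntraForest }).Count
}

# Inbound or bidirectional trusts without SID filtering (quarantine) deserve a
# second look: the trusted side can present SIDs from outside its own domain.
$trusts |
    Where-Object { -not $_.IntraForest -and $_.Direction -ne 'Outbound' -and -not $_.SIDFilteringQuarantined } |
    Format-Table Name, Direction, TrustType, SIDFilteringQuarantined, SelectiveAuthentication -AutoSize
```

Run it from a management host in the central domain; the first object gives the headline numbers (the article’s “20 trusted, six child”), and the table lists the trusts that weaken the central domain’s control over who can present which SIDs.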
“The benefit is zero administration,” said IAM Program Associate Director Subhasish Mitra. “It’s completely backed up, and it’s completely redundant.”
Following the assessment, Mitra started discussing a consolidation roadmap with various IT departments. UIT’s Center for High Performance Computing (CHPC) was the first partner to collapse all of its services into the central AD.
CHPC Systems Administrator David Heidorn is the organization’s Windows specialist. When he arrived at the University in October 2013, he inherited a child domain running Windows Server 2008, which he upgraded to Windows Server 2012 R2 with the help of IAM System Engineers Steve Adams and Daniel Burtenshaw, and CHPC Systems Administrators Steve Harper, Irvin Allen and David Richardson.
“We knew that moving the Windows computers and servers over to [the central AD] would be the least intensive part of the process, and that consideration had to be thought about for our Linux side,” Heidorn said, noting that Linux runs more than 95 percent of the world’s HPC clusters.
Heidorn said the move has allowed him to focus on other priorities.
“This has been a great benefit for us at CHPC. It has freed me up from running two domain controllers for the child domain and has allowed me to focus on managing our systems – whether through writing group policy objects, scripts or testing and implementing new projects,” he said. “With campus having more domain controllers and a dedicated staff to running them, the SLAs [Service Level Agreements] they can provide exceed what I can do as an individual.”
“I am confident in Steve’s and Daniel’s abilities as they are both experts with Active Directory, and by making this change I have gained more time to focus on CHPC’s core mission – assisting researchers.”
The IAM team is busy consolidating domains run by partner organizations, such as the College of Social and Behavioral Science, the College of Humanities, and others. The first trusted partners to consolidate into the central AD were the College of Humanities, Marriott Library Computing Labs and UIT’s University Support Services (USS); the Health Sciences/Hospital (hsc.ad.utah.edu) domain is up next, but its timing depends on the Windows 10 rollout and on setting up infrastructure to support Azure, Microsoft’s cloud service platform.
Mitra hopes other trusted partners will follow suit.
“The bottom line is we need support from each of the partner organizations,” he said.
Other ongoing IAM projects and initiatives
Web access management
Mitra and his team continue to work toward a “one person, one identity” user experience, in which a single sign-on grants access to accounts such as UMail, Box, Canvas, and Campus Information Services (CIS). Currently, some University websites and applications require a uNID and password, while others call for a person’s @utah.edu email address and password.
Two-factor ID
The University’s two-factor authentication (2FA) program, built on Duo Security and RSA, continues to gain momentum. These technologies are now in use by various IT departments on campus and at the hospitals and clinics.
Organizations reporting to Senior Chief Administrator and Chief Financial Officer John Nixon, namely Administrative Services, Facilities Management, Financial & Business Services, and Public Safety, are in the process of joining the Duo 2FA pilot. Original pilot participants included University Information Technology (UIT), Campus Human Resources, and Utah Education Network (UEN).
Additionally, 2FA is expanding to remote access through the Citrix NetScaler Gateway for hospitals/clinics Information Technology Services (ITS) employees and for offshore hospital medical revenue and billing vendors. ITS employees are currently enrolling devices with RSA 2FA and, beginning at the end of April, will be challenged for a second factor when logging into Citrix remotely. Offshore vendors will be on-boarded with 2FA in the coming months as training and communication materials are developed and shared.
Please contact Mitra if you have any questions about the IAM program.
Node 4
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.